Apple blacklists Java on OS X to prevent latest “critical” exploits

Apple's automated system is allowing for a fast response to malware threats.

Apple has blacklisted the latest version of the Java browser plugin to protect Mac users from the latest Java exploits. As noted by MacRumors, OS X now requires a newer, as-yet unreleased version of the Java plugin which is expected to patch a flaw that resulted from an incomplete patch added to Java last year.

Previously, OS X required point software updates to refresh its built-in protections against malware. Now, however, Apple can quickly update a malware definition file called XProtect.plist, and OS X checks a secure Apple server for these updates daily. As of Friday, Apple has blacklisted the latest version of the Java plugin in XProtect.plist, requiring a newer version before Java applets will run in a browser.
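To make the mechanism concrete, here is an added example (not Apple's code and not from the article) that reads an XProtect-style plug-in blacklist and decides whether an installed plug-in version falls below the listed minimum. The plist is constructed; the `PlugInBlacklist` / `MinimumPlugInBundleVersion` layout and the Java bundle identifier are assumptions modelled on the format, not values taken from the page.

```python
import plistlib

# Constructed sample in the style of an XProtect plug-in blacklist. The key
# names and the bundle identifier are assumptions, not copied from Apple's file.
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.10.19</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def version_tuple(version: str) -> tuple:
    """Turn a dotted bundle version into integers so '1.7.10.19' compares numerically.

    Non-numeric components (rare, but possible in vendor strings) count as 0.
    """
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def load_blacklist(data: bytes, os_major: str = "10") -> dict:
    """Return {bundle_id: minimum_version} for the given OS major version."""
    plist = plistlib.loads(data)
    entries = plist.get("PlugInBlacklist", {}).get(os_major, {})
    return {bid: entry["MinimumPlugInBundleVersion"] for bid, entry in entries.items()}


def is_blocked(blacklist: dict, bundle_id: str, installed_version: str) -> bool:
    """A plug-in is blocked when its installed version is older than the listed minimum."""
    minimum = blacklist.get(bundle_id)
    if minimum is None:
        return False  # plug-in not listed at all
    return version_tuple(installed_version) < version_tuple(minimum)


if __name__ == "__main__":
    blacklist = load_blacklist(SAMPLE_XPROTECT_META)
    for installed in ("1.7.10.18", "1.7.10.19", "1.7.11.0"):
        state = "blocked" if is_blocked(blacklist, "com.oracle.java.JavaAppletPlugin", installed) else "allowed"
        print(f"Java plug-in {installed}: {state}")
```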

The latest known security hole in Java is already being "massively exploited in the wild," according to security researchers. The US Computer Emergency Readiness Team (CERT) issued a warning that Java should be disabled in browsers until a patch is released by Oracle.

The Java browser plugin has been exploited in several critical malware attacks in recent months, including the high-profile Flashback malware campaign that targeted Macs in early 2012. As Apple has looked to increase the security of OS X, it has increasingly distanced itself from Java over the last couple of years. Apple deprecated its own version of Java in 2010 and removed the browser plugin from default installs of OS X last October.

Chris, this story skims a bit lightly over material that affects virtually ALL users, and is a key concern of certain IT Tsars in dictating security policy.

If it's useful, it'd be nice to see a sharp distinction between the JRE and Java v 7 plugin. When does one get invoked vs the other? Is the plugin the only vector by which the malware can be installed? How about java-based apps on your (actually, MY) Mac?

What's the history of the PLIST? What versions of OSX check, how frequently? How well protected are older versions of OSX?

What's the range of java versions that are addressable by the malware? A report I saw showed 4 thru 7, but most merely mention 7.

I still have both Java and Flash disabled until I run into a page that needs them, but I feel better now about those times I forget to disable one after I'm finished using it.

If you're using chrome, you can set plugins to "click to play" in advanced settings (content settings). It makes plugins like Java and Flash available, but not without your say-so. You can also whitelist sites in the same area in settings. (Great for YouTube, vimeo, and what not.) It's been working well for me for months now.

I love how Apple just says "Java, you be trippin'" in OSX now. Won't let it run in browser unless you manually activate it (and auto deactivates after a week of non-use), and just overall makes sure that Java can't fuck shit up

I use a Java app weekly, in the browser, to upload the data from my daughter's diabetes insulin pump. I send this data to her Endocryn. for review. Does this mean I'm going to be locked out from using that app until there's an update from Oracle? Can I just switch from Safari to another browser?

Am I understanding this right? If I have a Mac, Apple will tell me what software I'm allowed to run on my computer and will actually disable what I've already installed? And I have no say in the matter?

I'm not a Mac user so I may be missing something but this seems like Big Brother taken to an absurd level.

Not exactly. If you want to use the Java browser plugin (a better question is why would you...), you can still use it in every non-Apple browser (i.e. anything not named 'Safari'). Although, at least Chrome also blocks known-bad plugins as well. Not sure about Firefox/IE/Opera, but hopefully they'll start doing that soon as well.

Not sure if Apple does the block with the Windows version of Safari as well... but who uses that?


Apple have frequently been criticized for not taking security seriously. Now that they are, they still get criticized. Most users are unaware of the potential threat of insecurities in Java, so it would seem to be a sensible approach for Apple to disable Java by default; people can switch it on if they need it.

Judging by your almost hysterical reaction to something that doesn't even affect you I can only assume your knee must be jerking considerably.

I love how Apple is enforcing what you can and cannot run on 'your' PC and you call it a feature then act surprised when some software you are trying to run just does not run because Apple thought it knows what is best for you better than you know yourself.


Someone further up mentioned that Chrome has a 'click to play' option for Java and Flash, which means you can choose to play what you want when the plug-in is requested, but it will not automatically run stuff you have not requested. This might be the safest bet for you. You can install the 'click2Flash' plugin for Safari, but I am not aware of a similar plugin for Java.

You can check what is running in Safari by clicking the security tab in Safari Preferences. I have Java turned off anyway, but leave Javascript turned on. If currently you have Java installed then it likely as not will work in Safari but if not, Chrome should do the trick.


Thanks. Quick follow-up: I already have Firefox installed (although I almost never use it). Would that still work? I'd rather not install a third browser.


OK, so it only blocks it on Safari; that makes much more sense. The linked article only said

Quote:

Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed.

which made it sound like a complete ban.

It is good that Apple has this malware feature. It is good that they are attempting to disable plugins, etc. with known security issues ASAP. It would be even better for power users if they provided a whitelist-like capability to allow vulnerable plugins to be used when getting content from specific sites. They could likely figure out a nice way to make this work; however, having the ability to bypass opens the door to social engineering attacks that folks seem to fall for all too easily... it is a hard line to walk, so I am not surprised they chose "we will attempt to protect you even if it causes you temporary inconvenience."

...personally I feel the use of Java applets needs to go away. They should instead package up Java applications that can be downloaded, etc. IMHO if that is what they choose to use for their development.

For example I use the Cisco VPN native client directly instead of the flaky Java applet into native client flow that their VPN web portal uses. This native client is able to update itself, etc. all without having the need of Java being installed on my system let alone the Java plugin.

(note I do have a few JVM installs on my Mac systems since I develop server side components in Java, so in no way am I a Java hater)

So how can I bypass this restriction? At the moment, I can't log into my company's Juniper VPN because it requires a Java client to run a host check process.

Download the new Java from Oracle. Our Open Text DAM at work just blocked me for having an out of date Java install, and popped up a link to the Oracle download site. (That's the one really slick thing this million dollar DAM does well.)


And if they didn't do this, and there was a wide outbreak amongst Mac users, I suspect you would be one of the first to exclaim "Apple's security model sucks!"

Apple is not dictating what you can run on your PC. They are dictating minimum secure versions of plugins for their browser, Safari.

Mac OS X comes with great free dev tools based on LLVM and Clang. You can compile and run whatever the hell you want.


With the way you were trolling, I'm surprised that you read it at all. Too quick to jerk your knee...


Asking a question is a hysterical reaction? Must be nice to have such blind loyalty....

Asking a question with a Big Brother accusation before getting any information is kind of overreacting. Lucky for you, a really dumb troll got people's attention.

While I like that Apple is proactive, what sucks is that they tell you nothing.

Last night, I decided to set up an account on my MacBook Air for my mother-in-law. She loves coupon sites and sadly, most of them rely on Java. I would go to Oracle's site and run the Java test applet and I'd get "Plugin Blocked" in Safari. I then get a notification that my Java is out of date and Safari is blocking it. I get prompted to install Java 7 Update 10 ... which I already had. No information about a zero-day vulnerability, just an unhelpful message on a loop.

I appreciate what they're trying to do. Had they pointed me to *ANY* resource I could have saved myself a lot of time. Figures I'd try to set up a JRE the day they block it.

I think he is referring to the fact that there are some very high-profile sites that use Java in the backend extensively (ever heard of Twitter? Java is one of its main backend technologies, alongside Ruby and others I can't recall).